You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Restrict Request Source to Cornell Campus IPs

Here's a simple IAM policy that you can add to any existing IAM Group, User, or Role to ensure that the role is only utilized from a computer that has a Cornell public IP address

Add this policy as an inline policy attached to any IAM User, Group, or Role. This policy cannot be used alone. The IAM User, Group, or Role must also be granted the privileges you want the user/group/role to have. See also https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "128.84.0.0/16",
                    "128.253.0.0/16",
                    "132.236.0.0/16",
                    "192.35.82.0/24",
                    "192.122.235.0/24",
                    "192.122.236.0/24"
                ]
            }
        }
    }
}

Restrict Scope of EC2 to One AWS Region

Add this policy to a managed policy, user, role, or group to restrict the scope of EC2 activity to just us-east-1 AWS region.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringNotEquals": {
                    "ec2:Region": "us-east-1"
                }
            },
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}
  • No labels